Possible Security Threat?

[hallsofmontezuma]

Protect access to your wp-admin directory with .htaccess. There are a number of other things you could do at the server level to help here but that's by far the easiest.

[Shane]

@hallosmontezuma Can't really do that since what if your plugins ended up using something inside wp-admin. Mostly images.

I worked on this issue for about 30-45 minutes trying to replicate the problem, but I can tell you I was 80% successful. It had to be an extreme set of circumstances and oddities out of the user who installed it.

[itsananderson]

@hallosmontezuma Can't really do that since what if your plugins ended up using something inside wp-admin. Mostly images.

I don't think I've ever seen a plugin that did this. Seems like a poor practice if there are plugins that do.

[Otto]

but what if the database server crashed and when it came back online, your database was empty meaning you could install WordPress right away again. I think this is a fringe case but it shows that it's possible.

Very fringe case indeed. I can't think of a sane database setup that would bring the actual database back, but also make it have no tables in it. Downside is that I can't think of any way to detect that happening vs. an actual new installation.

So wouldn't removing install.php simply prevent this fringe case from happening?

Yes, it would work, but an upgrade would put the file right back.

[hallsofmontezuma]

Password protect your wp-admin directory. Only allow access to whichever files you want from your IP or from within the server or whatever you want. You can certainly use .htaccess in a variety of ways to prevent this.
Having said that, the way to correct this is to find out why you're having database issues. Why would MySQL crash, and then your database is restored with the same db name, user, password, but no tables? I would find out why that's happening and fix that issue.

[hallsofmontezuma]

Oh by the way, welcome to WP Tavern Otto. It's great to see you here.

[pbarnhart]

An issue may be all of the “readme” and “info” and other files left behind - not just for WordPress and all the plugins and templates, but other apps as well. I recently found in my server logs two strange bots from Chinese IPs that were active looking for readme txt files. If a particular plugin or app version has a vulnerability, it certainly may be more effective to scan the txt files that could indicate versions.

[Ryan]

Yeah, I'm surprised version numbers aren't omitted from any form of public view in web software, but developers don't seem to bother. In fact it is literally impossible to avoid it with WP plugins since they actually require a readme.txt file including the version number.

I guess you could manually remove them from public view with .htaccess or something like that though - perhaps a potential plugin could be developed to do this? Admittedly I probably wouldnt' use something like that anyway as I trust the WP guys to keep the security up to date and can't be bothered with the hassle of another plugin.

[Otto]

The reason it makes no sense to remove version numbers is that it doesn't make any sense to scan for version numbers in the first place.

A vulnerability on a website can basically be distilled down to sending some form of HTTP request which attempts to hack into the site and give some form of further access to it. Sending this request is the attack itself. It either succeeds or it fails. Scanning for a version number, on the other hand, is also an HTTP request of some sort. So, why bother to scan looking for vulnerabilities? Just send the attack packet in the first place. If they're vulnerable to that attack, then you're in.

The notion of scanning for versions and such is based on a mistaken notion of how websites are hacked. Nobody doing this sort of thing takes a single website then tries to figure out a way into it. Instead, they take a newly discovered vulnerability, write a short program to implement the attack, then run it on a big list of thousands of websites, many of which they get into and which then automatically get hacked by their attack software. They're looking for volume here, not quality.

The fact of the matter is that nobody cares enough about you to attack your website specifically. To the hacker, you are non-existent. They're not trying to upset you or attack you, they're trying to gain as much control as they can in order to further their own ends. To have untraceable web hosting for botnets and such, for example. For this sort of thing, volume is critical, because the more hacked sites they have, the more likely those sites will remain around long enough for them to be used effectively.

So hiding version numbers is rather pointless. It doesn't help anything, since there's little incentive for the hacker to care what version you have.